Message-ID: <20201031142712.GA10193@orbyte.nwl.cc>
Date: Sat, 31 Oct 2020 15:27:12 +0100
From: Phil Sutter <phil@...filter.org>
To: netfilter@...r.kernel.org, netfilter-devel@...r.kernel.org
Cc: netdev@...r.kernel.org, netfilter-announce@...ts.netfilter.org,
lwn@....net
Subject: [ANNOUNCE] iptables 1.8.6 release
Hi!

The Netfilter project proudly presents:

        iptables 1.8.6

This release contains the following fixes and enhancements:

iptables-nft:

- Fix ip6tables error messages, they were incorrectly prefixed
  'iptables:'.
- Fix for pointless 'bitwise' expression being added to each IP address
  match, needlessly slowing down run-time performance (by 50% in worst
  cases).

iptables-nft-restore:

- Correctly print the flushed chains in verbose mode, like legacy
  restore does.
- Restoring multiple tables could fail if a ruleset flush happened in
  parallel (e.g. via 'nft flush ruleset').
- Fix for bogus error messages if a refreshed transaction fails.
- Support basechain policy value of '-' (indicating to not change the
  chain's policy).
- Fix for spurious errors in concurrent restore calls with '--noflush'.

iptables-legacy:

- Allow to configure lock file location via XTABLES_LOCKFILE environment
  variable.

xtables-monitor:

- Fix printing of IP addresses in ip6tables rules.

xtables-translate:

- Exit gracefully when called with '--help'.
- Fix some memory leaks.
- Add support for conntrack '--ctstate' match.
- Fix translation of ICMP type 'any' match.

libxtables:

- Fix for lower extension revisions not supported by the kernel anymore
  being retried each time the extension is used in a rule. This
  significantly improves performance when restoring large rulesets which
  extensively use e.g. conntrack match.

tests:

- Add help text to tests/shell/run-tests.sh.
- Test ip6tables error messages also, not just return codes.

General:

- Rejecting packets with ctstate INVALID might close good connections if
  packet reordering happened. Document this and suggest to use DROP
  target instead.
- Fix for iptables-apply script not being installed by 'make install'.
- Fix 'make uninstall', it was completely broken.
- Fix compiler warnings when building with NO_SHARED_LIBS.
- Extend 'make clean' to remove some generated man pages left in place.
- Fix for gcc-10 zero-length array warnings.

See the attached changelog for more details.

You can download it from:

http://www.netfilter.org/projects/iptables/downloads.html#iptables-1.8.6

To build the code, libnftnl 1.1.6 is required:

* http://netfilter.org/projects/libnftnl/downloads.html#libnftnl-1.1.6

In case of bugs and feature requests, file them via:

* https://bugzilla.netfilter.org

Happy firewalling!
View attachment "iptables-1.8.6.txt" of type "text/plain" (2139 bytes)
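
The "General" item on ctstate INVALID can be checked against an existing ruleset. The script below is an added example, not part of the announcement or of iptables itself: it scans iptables-save output for rules that REJECT packets in state INVALID and prints a DROP variant of each. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the announcement).
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate INVALID,UNTRACKED -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# find_invalid_reject (hypothetical helper): reads iptables-save text on stdin
# and reports every rule whose state list contains INVALID and whose target is
# REJECT. The suggestion only swaps the target; a rule that lists further
# states besides INVALID needs a manual split before it is applied.
find_invalid_reject() {
    awk '
    /^-A / {
        states = ""; target = ""; negated = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "--ctstate" || $i == "--state") {
                states = $(i + 1)
                negated = ($(i - 1) == "!")   # "! --ctstate INVALID" is not a hit
            }
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "REJECT" || negated) next
        n = split(states, s, ",")
        for (k = 1; k <= n; k++) if (s[k] == "INVALID") {
            fixed = $0
            sub(/-j REJECT.*$/, "-j DROP", fixed)   # also drops --reject-with
            printf "line %d: %s\n  suggest: %s\n", NR, $0, fixed
            break
        }
    }'
}

# Stand-alone run over the constructed sample.
sample_ruleset | find_invalid_reject
```

On a live system the input would come from 'iptables-save' or 'ip6tables-save' instead of the sample function.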